  1. #!/bin/bash
  2.  
  3. # Config
  4. EFI_PART=/dev/sda1
  5. LUKS_PART=/dev/sda2
  6. EFI_MNT=/root/boot
  7.  
  8. # Utils
# rbtohex: raw bytes on stdin -> lowercase hex string on stdout, no newline.
rbtohex() {
  od -An -v -tx1 | tr -d '[:space:]'
}
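# hextorb: hex string on stdin -> raw bytes on stdout.
# Upper- and lowercase digits are accepted; whitespace and any other
# non-hex character is dropped.  The original piped the input through
# sed/xargs into printf's *format* string (and needed GNU sed's "I" flag);
# here each byte is emitted with printf '%b', so the data never acts as a
# format string.  An odd trailing nibble is ignored.
hextorb() {
  local hex i
  hex="$(cat)"
  hex="${hex//[![:xdigit:]]/}"
  for ((i = 0; i + 1 < ${#hex}; i += 2)); do
    printf '%b' "\\x${hex:i:2}"
  done
}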
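# l: print a progress message (backslash escapes such as \n are expanded).
# The original `l() { echo -en "$@" }` lacked the ";" before "}", so bash
# treated "}" as an argument to echo and the function body never closed —
# the whole script was a syntax error.  A newline is appended so the next
# command's output does not run into the message.
l() { printf '%b\n' "$*"; }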
  12.  
  13. #
  14. # ---- The real work
  15. #
  16.  
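# Strict mode is switched on right before the first destructive step: without
# it a failed luksFormat/luksOpen was followed by pvcreate & co. running
# against the wrong device, and -u catches typos such as the unexpanded
# "EFI_PART" the original passed to mount.
set -euo pipefail

# die: message on stderr, then exit 1.
die() { printf 'error: %s\n' "$*" >&2; exit 1; }

# find_first: print the first path under / matching the -path glob in $1.
# find's exit status is ignored on purpose — a full-tree scan always trips
# over transient /proc entries and would otherwise abort the script under -e.
find_first() { find / -path "$1" -print -quit 2>/dev/null || true; }

# Scratch directory for the compiled pbkdf2 helper; removed on any exit.
workdir="$(mktemp -d)" || die "mktemp failed"
cleanup() { rm -rf -- "${workdir:?}"; }
trap cleanup EXIT

l "mount boot partition"
mkdir -p "$EFI_MNT"
mkfs.vfat -F 32 -n uefi "$EFI_PART"
mount "$EFI_PART" "$EFI_MNT"

l "setup crypt-storage"
STORAGE=/crypt-storage/default
mkdir -p "$(dirname "$EFI_MNT$STORAGE")"

l "install gcc, ykpers and openssl"
nix-env -i gcc-wrapper ykpers openssl

l "compile 'pbkdf2-sha512'"
# The key-derivation helper is built from whichever pbkdf2-sha512.c is found
# first on the filesystem; set PBKDF2_SRC to the reviewed copy to pin it.
pbkdf2_src="${PBKDF2_SRC:-$(find_first '*/pbkdf2-sha512.c')}"
evp_h="$(find_first '*/openssl/evp.h')"
libcrypto="$(find_first '*/lib/libcrypto.*')"
[[ -n "$pbkdf2_src" && -n "$evp_h" && -n "$libcrypto" ]] \
  || die "pbkdf2-sha512.c, openssl/evp.h or libcrypto not found"
cc -O3 -I"${evp_h%/openssl/evp.h}" -L"${libcrypto%/libcrypto.*}" \
  "$pbkdf2_src" -o "$workdir/pbkdf2-sha512" -lcrypto

l "create salt"
SALT_LENGTH=16
salt="$(head -c "$SALT_LENGTH" /dev/random | rbtohex)"

l "create secret key for the yubikey"
k_yubi="$(head -c 20 /dev/random | rbtohex)"

l "get the user passphrase (recommended)"
# -r keeps backslashes literal.  The passphrase is read twice: a typo here
# yields a volume that can never be unlocked.
read -rs -p 'passphrase (empty for none): ' k_user; printf '\n'
read -rs -p 'repeat passphrase: ' k_user_check; printf '\n'
[[ "$k_user" == "$k_user_check" ]] || die "passphrases do not match"
unset k_user_check

l "calculate initial yubikey challenge"
challenge="$(printf '%s' "$salt" | openssl dgst -binary -sha512 | rbtohex)"

l "calculate the yk response"
# NOTE: the YubiKey secret goes to openssl on its command line and is visible
# in the process list while the command runs (same for $response below).
response="$(printf '%s' "$challenge" | hextorb \
  | openssl dgst -binary -sha1 -mac HMAC -macopt "hexkey:$k_yubi" | rbtohex)"

l "derive the luks slot key"
KEY_LENGTH=512
ITERATIONS=1000000
# The original test was `if ( "${k_user}" != "" )`, which *executed* the
# passphrase as a command and — since that fails — always took the else
# branch, so the passphrase never entered the key.  An empty passphrase feeds
# a lone newline to pbkdf2; a non-empty one is fed as-is (printf, not echo,
# so a passphrase starting with "-" survives).
if [[ -n "$k_user" ]]; then
  k_luks="$(printf '%s' "$k_user" \
    | "$workdir/pbkdf2-sha512" $((KEY_LENGTH / 8)) "$ITERATIONS" "$response" | rbtohex)"
else
  k_luks="$(printf '\n' \
    | "$workdir/pbkdf2-sha512" $((KEY_LENGTH / 8)) "$ITERATIONS" "$response" | rbtohex)"
fi

l "create luks device"
CIPHER=aes-xts-plain64
HASH=sha512
printf '%s' "$k_luks" | hextorb \
  | cryptsetup luksFormat --cipher="$CIPHER" \
      --key-size="$KEY_LENGTH" --hash="$HASH" --key-file=- "$LUKS_PART"

l "store salt and iteration count in the EFI partition"
# Only public parameters land on the unencrypted EFI partition, in the same
# layout as before: "<salt>\n<iterations>" without a trailing newline.
printf '%s\n%s' "$salt" "$ITERATIONS" > "$EFI_MNT$STORAGE"

l "store the secret key on the yk"
SLOT=2
ykpersonalize -"$SLOT" -ochal-resp -ochal-hmac -a"$k_yubi"

l "open luks device"
LUKSROOT=luksroot
printf '%s' "$k_luks" | hextorb | cryptsetup luksOpen --key-file=- "$LUKS_PART" "$LUKSROOT"
# Key material is no longer needed from here on.
unset k_luks k_user k_yubi

l "umount the EFI partition"
umount "$EFI_MNT"

l "\n\n\n    setup LVM \n\n\n"
pvcreate "/dev/mapper/$LUKSROOT"

l "Setup a volume group (partitions)"
VGNAME=partitions
vgcreate "$VGNAME" "/dev/mapper/$LUKSROOT"

l "set two logical partitions (root + swap)"
lvcreate -L 4G -n swap "$VGNAME"
FSROOT=fsroot
lvcreate -l 100%FREE -n "$FSROOT" "$VGNAME"

vgchange -ay

l "make swap fs"
mkswap -L swap "/dev/$VGNAME/swap"

l "\n\n\n    BTRFS Setup \n\n\n"

l "Step 1: Create the main btrfs volume's filesystem."
# The original noted that this step can fail and that creating
# /mnt-root/nix-store.squashfs works around it; do that retry automatically.
if ! mkfs.btrfs -L "$FSROOT" "/dev/$VGNAME/$FSROOT"; then
  mkdir -p /mnt-root
  touch /mnt-root/nix-store.squashfs
  mkfs.btrfs -L "$FSROOT" "/dev/$VGNAME/$FSROOT"
fi

l "Step 2: Mount the main btrfs volume."
mount "/dev/$VGNAME/$FSROOT" /mnt

l 'Step 3: Create the subvolumes, for example "root" and "home".'
# Absolute paths instead of `cd /mnt`: with the cwd inside /mnt the umount
# below fails with "target is busy".
btrfs subvolume create /mnt/root
btrfs subvolume create /mnt/home

l "Step 4: Create mountpoints on the root subvolume and finalise things for NixOS installation."
umount /mnt
mount -o subvol=root "/dev/$VGNAME/$FSROOT" /mnt

mkdir -p /mnt/home
mount -o subvol=home "/dev/$VGNAME/$FSROOT" /mnt/home

mkdir -p /mnt/boot
mount "$EFI_PART" /mnt/boot

swapon "/dev/$VGNAME/swap"

l "generate nix config"
nixos-generate-config --root /mnt

l "READY to install!!!"
l "\n\n edit the file /mnt/etc/nixos/configuration.nix"

# cat, not echo: echo ignores stdin, so the original never printed this text.
cat <<'EOF'
You must set the option boot.loader.grub.device to specify on which disk the GRUB boot loader is to be installed. Without it, NixOS cannot boot.

Another critical option is fileSystems, specifying the file systems that need to be mounted by NixOS. However, you typically don’t need to set it yourself, because nixos-generate-config sets it automatically in /mnt/etc/nixos/hardware-configuration.nix from your currently mounted file systems. (The configuration file hardware-configuration.nix is included from configuration.nix and will be overwritten by future invocations of nixos-generate-config; thus, you generally should not modify it.)
EOF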